1. Field of the Invention
The present invention relates generally to techniques for pooling identities and dynamically binding individual ones of the pooled identities to information transactions or segments thereof and, in particular, to techniques for dynamically binding real, routable internetworking addresses from a managed pool thereof to network connections, segments or even individual packets thereof.
2. Description of the Related Art
From its beginnings as a research collaboration tool used by a comparative handful of students and scientists, the Internet has become a nearly ubiquitous communication tool connecting people around the globe. Each day, individuals, businesses, and governments making increasing demands for Internet resources. As they do so, a large (but finite) set of identifiers—addresses—is depleted. For example, as numbers of wireless and wired network devices and services continue their explosive growth, even ordinary individuals use numerous devices, be they traditional computers, mobile phones, media players, digital entertainment systems or even appliances for which networked data communication is (or will be) available.
At the same time, the vulnerability of networked systems, configurations, software and information codings and protocols to unauthorized access or use have become widely recognized, at least by information security professionals. In general, these vulnerabilities can range from minor annoyances to critical national security risks. Today, given the ubiquitous nature of internet communications and the value of information and transactions hosted on the public internet, vulnerabilities are discovered and exploited at alarming rates. Automated tools facilitate the probing of systems and discovery of vulnerable systems and configurations. Once vulnerabilities are identified, exploits can be globally disseminated and rapidly deployed.
Network address translation (NAT) techniques have long been employed in devices (e.g., firewalls, routers or computers) that sit between an internal network and the rest of the world. In general, NAT implementations can employ static or dynamic mappings of “internal addresses” to “external addresses.” In perhaps the most widely adopted configurations, a port-level multiplexed NAT device overloads outgoing traffic originating from multiple internal addresses onto a single apparent external address, using a port assignment to index an address translation table that records the port mapping and allows return path communications to be mapped (at the NAT device) and directed to the actual internal address of the originator.
Conventional NAT techniques are well understood in the art, see generally RFC1631 (describing NAT); RFC1918 (allocating non-routable address ranges for private internets); and How NAT Works, Document ID 6450 (2006) (archived at http://www.cisco.com/warp/public/556/nat-cisco.pdf), and have provided an efficient mechanism for limiting the need to assign real routable addresses to an ever expanding population of clients, while affording certain nodes that reside behind a NAT device a significant degree of isolation from external threats.
Unfortunately, conventional NAT techniques have done little to mitigate exposure of hosts or services to threats such as those posed by abnormal/anomalous data flows, undesired exfiltration of information, spread of malware/worms on local/internal networks, distributed denial of service (DDOS) attacks, traceback to sources of malicious flows, etc. Improved techniques are desired.